Upload
marshall-mahachi
View
218
Download
0
Embed Size (px)
Citation preview
8/10/2019 IN GSM Notes
1/62
IN
Intelligent Network
Basic IN concept & technology
Some basic IN services
8/10/2019 IN GSM Notes
2/62
Intelligent Network (IN) Concept
The intelligent network concept:intelligence is takenout of exchanges and placed in computer nodes thatare distributed throughout the network.
Intelligence => access to various databases
This provides the network operator with the meansto develop and control servicesmore efficiently. Newcapabilities can be rapidly introduced into the
network. Once introduced, services are easilycustomized to meet individual customer's needs.
8/10/2019 IN GSM Notes
3/62
Intelligent Network (IN) Concept
Exchange
STP SCP
SSP
Service Control Point(a network element containing
the service logic, a database orregister)
Service Switching Point(enables service triggering in an
exchange)
MAP
INAPCAP
ISUP
Operator implements service logic (IN Service)
8/10/2019 IN GSM Notes
4/62
8/10/2019 IN GSM Notes
5/62
Typical call-related IN procedure (1)
SSP
Exchange
SCP
1.
2.
3.
4.
5.Exchange
1.Call routing proceeds up to Exchange
2.Trigger activated in Basic Call State Modelat SSP
3.SSP requests information from SCP (database)
4.SCP provides information
5.Call routing continues (routing to next exchange)based on information received from SCP
8/10/2019 IN GSM Notes
6/62
SSP
Exchange
SCP
1.
2.
3.
4.
5.Exchange
2.Trigger activated in Basic Call State Model at SSP
Typical triggers:
Called number (or part of number)Called user (destination) is busyCalled user does not answer in predefined time
Typical call-related IN procedure (2)
8/10/2019 IN GSM Notes
7/62
SSP
Exchange1.
2.
3.
5.Exchange
Example: Number translation in SCP
SSP sends 800 number (0800 1234)
SCP translates into real number whichis used for routing the call(+358 9 1234567)
4.SCP provides information
SCP
Typical call-related IN procedure (3)
translationmay be
based onseveral
variables
4.
8/10/2019 IN GSM Notes
8/62
Destination 1
SCP decides the destination of the call depending on the
calling time or date:
9.00 - 17.00 => Destination 117.00 - 9.00 => Destination 2
SCP
Examples of how SCP can affect call (1)
Destination 2
SSP
Exchange
Called number
Time or date
8/10/2019 IN GSM Notes
9/62
Destination 1
SCP decides the destination of the call depending on the
location of calling user:
Calling user in southern Finland => Destination 1Calling user in northern Finland => Destination 2
SCP
Examples of how SCP can affect call (2)
Destination 2
SSP
Exchange
Called number, Calling number
8/10/2019 IN GSM Notes
10/62
Destination 1
SCP decides the destination of the call depending on the
traffic load in the network:
Traffic load situation 1 => Destination 1Traffic load situation 2 => Destination 2
SCP
Examples of how SCP can affect call (3)
Destination 2
SSP
Exchange
Called number
Network load
8/10/2019 IN GSM Notes
11/62
Intelligent Peripheral (IP)can (a) send announcements
to the user (usually: calling user) and (b) receive DTMFdigitsfrom the user. IP is not a database; connection toexchange not via SS7, instead via digital TDM channels.
SCP
Additional IN features (1)
SSP
Exchange Exchange
IP
8/10/2019 IN GSM Notes
12/62
Typical applications:1) Whenever services need user interaction
2) User authentication
SCP
Additional IN features (2)
SSP
Exchange Exchange
IP
8/10/2019 IN GSM Notes
13/62
SCP
User interaction in IN service
SSP
Exchange Exchange
IP
1.
4.
2.
3.
1.SCP orders IP to select and send announcement
2.IP sends announcement to calling user
3.User replies by giving DTMF number(s) to IP
4.IP sends number information to SCP in a signallingmessage
Announcement:for this .. press 1,for that .. press 2
8/10/2019 IN GSM Notes
14/62
SCP
User authentication (1)
SSP
Exchange Exchange
IP
1.
4.
2.
3.
1.SCP orders IP to select and send announcement
2.IP sends announcement to calling user
3.User gives authentication code (in DTMF form) to IP
4.IP sends authentication code to SCP in a signallingmessage
Announcement:please press yourPIN code ...
8/10/2019 IN GSM Notes
15/62
SCP
User authentication (2)
SSP
Exchange
IP
1.
3.
2.
Display message:please press yourPIN code ...
When connected to the network via a digital
subscriber line, the calling user can benotified with a digital message (please pressyour PIN code ...) instead of having to usethe corresponding voice announcement.
1.
8/10/2019 IN GSM Notes
16/62
IN services
A large number of IN services can be implemented bycombining different building blocks:
Called number translation (at SCP)
Routing decision based on calling number,
time, date, called user busy, called useralerting timeout, network load ...
Announcements (from IP) or user notification(
8/10/2019 IN GSM Notes
17/62
IN service examples
Traditional IN services:
- Freephone / customised charging schemes
- Virtual Privat Network (VPN)
- Number portability
- Televoting
IN in mobile networks:
- Mobility management (HLR, VLR = databases)
- Security management (Authentication ...)- Additional IN services in mobile networks =>CAMEL (Customised Applications for Mobilenetworks Enhanced Logic)
8/10/2019 IN GSM Notes
18/62
Freephone (800) service
User calls 0800 76543. SSP sends this number to SCPwhich after number analysis sends back to SSP thereal destination address (09 1234567) and call can berouted to the destination. Called party is charged.
SSP
Exchange
SCP
1.
2.
3.
4.
5.Destination
Charging: Destination (service subscriber)pays the bill
8/10/2019 IN GSM Notes
19/62
Premium rate service
User calls 0200 34343. SSP sends this number to SCPwhich after number analysis sends back to SSP thereal destination address (09 676567) and call can berouted to the destination. Calling party is charged.
SSP
Exchange
SCP
1.
2.
3.
4.
5.Destination
Charging: Calling user (customer) pays the (usually ratherexpensive) bill. Both service subscriber and service provideror network operator make profit!
8/10/2019 IN GSM Notes
20/62
Virtual private network (VPN) service
A VPN provides corporate customers with a privatenumber plan within the PSTN. The customer dials aprivate (short) number instead of the complete publicnumber in order to contact another user within the VPN.User authentication is usually required.
SSP
Exchange
SCP
Destination
IPUser authentication
Number translation: 1212 => 09 1234567
Customised charging
8/10/2019 IN GSM Notes
21/62
Screening of incoming calls
This is an example of an IN service related to the calldestination end. Alert called user only if calling numberis 121212 or 234567, otherwise do something else (e.g.reject call or redirect call to another destination).
SSP
Exchange
SCP
Called user
Calling number = 121212 or 234567: AcceptAll other calling numbers: Reject or redirect
Local exchange of called user
8/10/2019 IN GSM Notes
22/62
VLR
Mobile terminated call (MTC)
By far the most important "IN service" is mobilitymanagement during a mobile terminated call (MTC),which means finding out under which exchange ormobile switching center (MSC) a mobile user isroaming, so that the call can be routed to this
exchange. More about this later.
GMSC
HLR
1.
2.
5.
6.
Serving MSC
3.
4.
7.
8/10/2019 IN GSM Notes
23/62
More about IN and IN services
The link www.iec.org/online/tutorials/in provides someexamples in Section 10 (AIN Service Creation Examples),for instance:
Exampleof servicecreation
template:
8/10/2019 IN GSM Notes
24/62
8/10/2019 IN GSM Notes
25/62
Cellular concept
A cellular network contains a large number of cellswitha base station(BS) at the center of each cell to whichmobile stations(MS) are connected during a call.
BS
BS
BS
BS
MS
If a connected MS(MS in call phase)moves between twocells, the call is notdropped.
Instead, the network
performs a handover(USA: handoff).
8/10/2019 IN GSM Notes
26/62
Mobility concept
A cellular network is divided into location areas (LA),each containing a certain number of cells.
As long as an idle MS(idle = switched on)moves within a locationarea, it can be reachedthrough paging.
If an idle MS moves betweentwo location areas, it cannot bereached before it performslocation updating.
Location Area 1
Location Area 3
LocationArea 2
8/10/2019 IN GSM Notes
27/62
8/10/2019 IN GSM Notes
28/62
Serving MSC
GSMBSS
3G
RAN PS core network
CS core network
GMSCMSC
VLR
HLR
AuC
EIR
PSTN
In
ternet
The serving mobile switchingcenter (MSC) is the mobilecounterpart to the localexchange in the PSTN.
This is the MSC that is currentlyserving a mobile user.
8/10/2019 IN GSM Notes
29/62
VLR
GSMBSS
3G
RAN PS core network
CS core network
GMSC
HLR
AuC
EIR
PSTN
In
ternet
The visitor location registerstores temporary informationon mobile users roaming in alocation area under thecontrol of the MSC/VLR.
MSC
VLR
8/10/2019 IN GSM Notes
30/62
Gateway MSC
GSMBSS
3G
RAN PS core network
CS core network
GMSC
HLR
AuC
EIR
PSTN
In
ternet
MSC
VLR
The gateway MSC (located in the homePLMN of a mobile user) is the first contactpoint in the mobile network when there isan incoming call to the mobile user.
8/10/2019 IN GSM Notes
31/62
HLR
GSMBSS
3G
RAN PS core network
CS core network
GMSC
HLR
AuC
EIR
PSTN
In
ternet
The home location registerstores information on mobileusers belonging to this mobilenetwork (e.g. subscription dataand present VLR under whichthe mobile user is roaming).
MSC
VLR
8/10/2019 IN GSM Notes
32/62
AuC
GSMBSS
3G
RAN PS core network
CS core network
GMSC
HLR
AuC
EIR
PSTN
In
ternet
The authentication center safelystores authentication keys (Ki)of mobile subscribers belongingto this mobile network.
MSC
VLR
8/10/2019 IN GSM Notes
33/62
8/10/2019 IN GSM Notes
34/62
8/10/2019 IN GSM Notes
35/62
CS core network
GSMBSS
3G
RAN PS core network
CS core network
GMSC
HLR
AuC
EIR
PSTN
In
ternet
MSC
VLRThe CS core network architecture isbasically the same in 2G (GSM) and 3G
mobile networks.
In North America, IS-MAP signalling isused instead of GSM-MAP signalling.
Europe: GSM core network
N. America: ANSI-41 core network
8/10/2019 IN GSM Notes
36/62
8/10/2019 IN GSM Notes
37/62
Range of functions
GSMBSSor3G
RAN
PS core network
CS core networkRRM
MM
CC
SM
8/10/2019 IN GSM Notes
38/62
Random access in a mobile network
Communication between MS and network is not possiblebefore going through a procedure called random access.
Random access must consequently be used in:
Network-originated activity
paging, e.g. for a mobile terminated call (MTC)
MS-originated activityIMSI attach, IMSI detatchGPRS attach, GPRS detachlocation updating
mobile originated call (MOC)SMS (short message service) message transfer
1
8/10/2019 IN GSM Notes
39/62
Random access in action (GSM)
1. MS sends a short access burst over the RandomAccess CHannel(RACH) in uplink using Slotted Aloha (incase of collision => retransmission after random time)
2. After detecting the access burst, the network returnsan immediate assignment message which includes the
following information:
- allocated physical channel (frequency, time slot) inwhich the assigned signalling channelis located
- timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicatedsignalling channel assigned by the network, indicatingthe reason for performing random access.
1
8/10/2019 IN GSM Notes
40/62
Multiplexing vs. multiple access
In downlink, multiplexing (e.g. TDM)
In uplink, multiple access (e.g. TDMA)
Multiple access is always associated with randomaccess. MS requests signalling channel, and networkdecides which channel (e.g. time slot) will be used.
Network decides channel
Network decides channel also in this case
8/10/2019 IN GSM Notes
41/62
1) PIN code (local authentication of handset=> local security measure, network is not involved)
2) Authentication (performed by network)
3) Ciphering of information sent over air interface
4) Usage of TMSI (instead of IMSI) over air interface
IMSI= International Mobile Subscriber Identity(globally uniqueidentity)
TMSI= Temporary Mobile Subscriber Identity(local and temporaryidentity)
Security measures in a mobile network
8/10/2019 IN GSM Notes
42/62
Algorithm Algorithm
The same? If yes,authentication is successful
SIM(in handset)
Airinterface
Network (algorithmrunning in AuC)
Random numberChallenge
Response
Authentication key Authentication key
RAND
SRESS
Ki Ki
Basic principle of authentication2
SRESA
8/10/2019 IN GSM Notes
43/62
Algorithm for calculating SRES runs within SIM (userside) and AuC (network side). The authentication key(Ki) is stored safely in SIM and AuC, and remains thereduring authentication.
The two SRES values are compared in the VLR.
Where does the algorithm run?2
AuCSIMVLR
Air interface
SRESS SRESA
RAND
Ki Ki
8/10/2019 IN GSM Notes
44/62
Using output and one or more inputs, it is in practicenot possible to calculate backwards other input(s),brute force approach, extensive search
Key length in bits (N) is important (in case of bruteforce approach 2Ncalculation attempts may be needed)
Strength of algorithm is that it is secret => bad idea!Security through obscurity
Better: open algorithm can be tested by engineeringcommunity (security through strong algorithm)
Algorithm considerations2
8/10/2019 IN GSM Notes
45/62
HLR
MSC
VLR 1
Most recently allocated TMSI and last visited LAI (Location
Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitoredLAI values are the same, no location updating is needed.
(Most generic scenario, see van Bosse for details)
MSC
VLR 2
IMSI
LAI 1TMSI
LAI 1
IMSILAI 1
3
(in broadcast messages)
Case study: Location updating (1)
SIM
IMSITMSI
8/10/2019 IN GSM Notes
46/62
SIM
MSC
VLR 1
MS has moved from a cell belonging to VLR 1 to anothercell belonging to VLR 2.
MS notices that the LAI values are different => locationupdate is required!
MSC
VLR 2
LAI 2
HLR
(in broadcastmessages)
3 Location updating (2)
IMSILAI 1
IMSITMSI
IMSI
LAI 1TMSI
8/10/2019 IN GSM Notes
47/62
SIM
MSC
VLR 1
MSC
VLR 2
HLR
3 Location updating (3)
IMSILAI 1
SIM sends old LAI (i.e., LAI 1) and TMSI to VLR 2.
VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?
LAI 1, TMSI
No TMSI- IMSI context!
IMSITMSI
IMSI
LAI 1TMSI
8/10/2019 IN GSM Notes
48/62
8/10/2019 IN GSM Notes
49/62
SIM
MSC
VLR 1
MSC
VLR 2
HLR
3 Location updating (5)
IMSITMSI
Important:HLR must be updated (new LAI). If this is not
done, incoming calls can not be routed to new MSC/VLR.
HLR also requests VLR 1 to remove old user data.
IMSITMSI
IMSILAI 1LAI 2
LAI 2
IMSI
LAI 1TMSI
8/10/2019 IN GSM Notes
50/62
SIM
MSC
VLR 1
MSC
VLR 2
HLR
3 Location updating (6)
IMSILAI 2
VLR 2 generates new TMSI and sends this to user. User
stores new LAI and TMSI safely in SIM.
Location updating was successful!
IMSI
LAI 1TMSILAI 2TMSI
LAI 2TMSI
IMSITMSITMSI
8/10/2019 IN GSM Notes
51/62
Trade-off when choosing LA size
Affects signalling load
If LA size is very large(e.g. whole mobile network)
location updating not needed very oftenpaging load is very heavy
If LA size is very small(e.g. single cell)
small paging load
location updating must be done very often
High paging channel capacity required
+
+
3
8/10/2019 IN GSM Notes
52/62
Role of TMSI
MS NetworkRandom access
Authentication
Start ciphering
IMSI detach New TMSIallocated by
networkNew TMSI stored in SIM
CC or MM transaction
UsesTMSI
IMSI is not
sent over airinterface if
not absolutelynecessary!
8/10/2019 IN GSM Notes
53/62
Mobile network identifiers (1)
SNCCMSISDN
CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)SN = Subscriber Number
NDC=
Globallyuniquenumber
E.164 numberingformat
Mobile station ISDN (MSISDN) numbers are based on theITU-T E.164 numbering plan and can therefore be used forrouting a circuit-switched call.
When the calling (PSTN or PLMN) user dials an MSISDNnumber, the call is routed to the gateway MSC (GMSC)located in the home network of the called (mobile) user.
8/10/2019 IN GSM Notes
54/62
Mobile network identifiers (2)
TNCCMSRN
CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number
NDC=
Temporarilyallocatednumber
E.164 numberingformat
Mobile station roaming numbers (MSRN) are also basedon the ITU-T E.164 numbering plan and can therefore beused for routing a circuit-switched call.
The MSRN is selected by the MSC/VLR serving the called(mobile) user, sent to the GMSC, and used for routing thecall from the GMSC to the serving MSC.
8/10/2019 IN GSM Notes
55/62
Mobile network identifiers (3)
MSINMCCIMSI
MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)MSIN = Mobile Subscriber Identity Number
(10 digits)
MNC= E.212 numberingformat
The international mobile station identity (IMSI) is basedon the ITU-T E.212 numbering plan and cannot be usedfor routing a circuit-switched call (exchanges or switching
centers do not understand such numbers).
The IMSI is stored in the HLR and SIM of the mobile user.
Globallyuniquenumber
8/10/2019 IN GSM Notes
56/62
Mobile network identifiers (4)
LACMCCLAI
MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)LAC = Location Area Code (10 digits)
MNC= E.212 numberingformat
The location area identity (LAI) points to a location areabelonging to a certain MSC/VLR. This identity must bestored in the HLR so that mobile terminated calls can berouted to the correct serving MSC/VLR.
Globallyuniquenumber
IMEI Serial number of handset (not SIM)
8/10/2019 IN GSM Notes
57/62
4 Case study: Mobile terminated call (1)
VLR
1. Using the MSISDN number (dialled by the callinguser located in the PSTN or the PLMN of anotheroperator) and standard SS7/ISUP signalling, thecall is routed to the GMSC in the home networkofthe called mobile user.
GMSC
HLR
1.
2.
4.
5.
Serving MSC
3.
4.
6.
(see van Bosse for details)
8/10/2019 IN GSM Notes
58/62
4 Mobile terminated call (2)
VLR
GMSC
HLR
1.
2.
4.
5.
Serving MSC
3.
4.
6.
2. The GMSC contacts the HLR of the called mobileuser. The SS7/MAP signalling message containsthe MSISDN number which points to the mobileuser record (containing IMSI, LAI where user isroaming, etc.) in the HLR database.
8/10/2019 IN GSM Notes
59/62
4 Mobile terminated call (3)
VLR
GMSC
HLR
1.
2.
4.
5.
Serving MSC
3.
4.
6.
3. Using global title translation (GTT), the HLRtranslates the IMSI and LAI information into thesignalling point code of the serving MSC/VLR.
The HLR sends SS7/MAP request Provide roaming
number (i.e. MSRN) to the VLR.
8/10/2019 IN GSM Notes
60/62
4 Mobile terminated call (4)
VLR
GMSC
HLR
1.
2.
4.
5.
Serving MSC
3.
4.
6.
4. The VLR selects a temporary MSRN. Note thatthere must be binding between MSRN and IMSI inthe VLR.
The VLR sends the MSRN to the GMSC (using
SS7/MAP signalling).
MSRN IMSI
8/10/2019 IN GSM Notes
61/62
4 Mobile terminated call (5)
VLR
GMSC
HLR
1.
2.
4.
5.
Serving MSC
3.
4.
6.
5. Using the MSRN number and standard SS7/ISUPsignalling, the call is routed to the serving MSC.
Although not shown in the figure, there may beintermediate switching centers (serving MSC/VLR
may be located at the other end of the world).
8/10/2019 IN GSM Notes
62/62